Security of six-state quantum key distribution protocol with threshold detectors 
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We prove the unconditional security of the six-state protocol with threshold detectors and one- 
way classical communication. Unlike the four-state protocol (BB84), it has been proven that the 
squash operator for the six-state does not exist, i.e., the statistics of the measurements cannot be 
obtained via measurement on qubits. We propose a technique to determine which photon number 
states are important, and we consider a fictitious measurement on a qubit, which is defined through 
the squash operator of BB84, for the better estimation of Eve's information. As a result, we prove 
that the bit error rate threshold for the six-state protocol (12.611%) remains almost the same as 
the one of the qubit-based six-state protocol (12.619%). This clearly demonstrates the robustness 
of the six-state protocol against the use of the practical devices. 

PACS numbers: 03.67.-a,03.67.Dd 



Quantum key distribution (QKD) allows legitimated 
users to securely communicate, and the security of QKD, 
especially qubit-based QKD, has been well studied so far 
[l| . Since we have to assume any possible attack when we 
consider the security, the assumption of qubit-detection 
must be confirmed or at least its fraction must be esti- 
mated with the use ofphoton number resolving detectors, 
detector decoy idea [2j, or estimation method via moni- 
toring the double click event [3] , all of which require some 
modifications to QKD protocols. 

Another approach for the security proof of QKD with 
threshold detectors is to consider the so-called squash 
operator [4j which squashes an optical mode down to a 
qubit state. This approach only requires to assign the 
double-click event (detectors "0" and "1" simultaneously 
click) to a random bit value, which is reasonable [5j. The 
existence of the squash operator for BB84-type measure- 
ment has been proven [(| 0], i.e., the statistics of the 
outcomes of the BB84 measurement can be interpreted 
as if it stemmed from the BB84 measurement on qubits 
whatever optical signal Bob actually receives. 

One might think that the squash operator should exist 
for any measurement with two outcomes, including the 
measurement of the six-state protocol [§| , where we per- 
form measurements along a basis, Y basis, in addition to 
X and Z bases in BB84. In the case of the qubit-based 
six-state protocol, the measurement along the extra basis 
lets us learn more about Eve's information gain, resulting 
in a higher bit error rate threshold than that of BB84, 
which is a main advantage of the qubit-based six-state 
protocol over BB84. Unfortunately, it turns out that the 
squash operator for the six-state protocol is proven not 
to exist [7[ , and it is unknown whether the advantage still 
holds with the use of threshold detectors. 

Intuitively, sending more than one-photon is not useful 
for the eavesdropping since it may only increase the bit 
error rate, and it is hard to imagine that the advantage 



of the qubit-based six-state protocol suddenly vanishes 
once we lose information about which signal is a single- 
photon. In other words, to consider the security of the 
six-state protocol with threshold detectors is to consider 
the robustness of a qubit-based QKD protocol even if 
there is no squash operator. This is indeed one of the 
essential features that any practical qubit-based QKD 
must possess, and this issue must be seriously taken into 
account for the design of a qubit-based QKD protocol. 

In this letter, we prove the robustness of the six-state 
protocol by showing the bit error rate threshold remains 
almost the same (12.611%) compared to the one of the 
qubit-based six-state protocol (12.619%). This result 
shows that sending multiple photons hardly helps Eve, 
which confirms the intuition mentioned above. The rate 
is clearly larger than the rate of BB84 with threshold 
detectors (11.002%) HQ, and this demonstrates the ad- 
vantage of using two additional states in the practical 
situation. We remark that our work assumes the use of a 
single-photon as the information carrier, but we can triv- 
ially accommodate the use of an attenuated laser source 
by GLLP idea Q. 

This letter is organized as follows. We start with a 
brief description of how the protocol works, and then we 
move on to relatively long outlining the proof, and we de- 
vote the rest of the paper to a more detailed explanation. 
Finally, we summarize this letter. 

Since polarization state of a single-photon and the i- 
spin state are mathematically equivalent, we use ^-spin 
notation for the explanation in this letter. In the six- 
state protocol, Alice first generates a random bit value 
b = — 1,1 and choose one basis a randomly out of three 
bases X, Y, and Z. Then, she sends over a quantum 
channel a qubit with state being \a,b) that is the eigen 
state of a basis of i-spin whose eigen value is 6/2. Bob 
randomly chooses one basis randomly out of the three 
bases, and he measures the spin along the chosen di- 
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rection. Alice and Bob compare over a public channel 
the bases they used, and keep the bit value if the bases 
match, othrewise discard it. Alice and Bob repeat this 
step many times, and they apply bit error correction Q 
and privacy amplification [9( to the resulting bit string 
(sifted key), and they share the key. 

Next, we outline our proof. Our proof employs the se- 
curity proof based on complementarity scenario proposed 
by Koashi In this proof, we consider two protocols, 
one is the actual protocol which Alice and Bob actually 
conduct, and the other one is a virtual protocol. Let us 
assume that Alice has a qubit state, which may be fic- 
titious, and let Z basis be Alice's key generating qubit 
basis. The goal of the actual protocol is that Bob agrees 
on Alice's bit values along Z basis. On the other hand, 
the goal of the virtual protocol is to create an eigen state 
of an observable X, which is conjugate to Z, with the 
help of Alice and Bob's arbitrary quantum operations 
that commute with Alice's key generating measurement. 
It is proven that if Alice and Bob are free to choose which 
protocol to execute after the actual classical and quan- 
tum communication and if they can accomplish its goal 
whichever choice they have made, then unconditionally 
secure key can be distilled. 

In order to define Alice's qubit in the six-state protocol, 
suppose that Alice first prepares a qubit pair in the state 
-^ (\Z-i) \Z X ) - \Z X ) [HI (we choose this singlet 

state to fully make use of its symmetry later), measures 
one of the qubit by X, Y, or Z-basis, and sends the other 
qubit to Bob. Since this process outputs the exactly the 
same state as the one of the actual protocol, we are al- 
lowed to work on this scenario without losing any gen- 
erality. In the case that we consider the security of the 
key generated along Z basis, and once Alice and Bob can 
generate \Xi) state in Alice's side in the virtual protocol 
then we are done since the agreement on the bit value 
in the actual protocol can be trivially made via classical 
error correction over a public channel (the syndrome is 
either encrypted [l2[ or not (HI). 

For the generation of \Xi) state, an important quan- 
tity is the so-called phase error rate, which is the ratio 
that Bob's estimation of Alice's bit string in X-basis re- 
sults in erroneous, and if the estimation of the phase 
error rate is exponentially reliable then Alice can gen- 
erate by random hashing along X-basis [13 - [l4| . 
More precisely, the key generation rate G, assuming a 
perfect bit error correcting code, can be expressed as 
G = n s a [1 — H(X) — H(Z\X)]. Here, n$a is the empiri- 
cal probability of having the sifted key, H(X) is Shannon 
entropy of the bit error, and H{Z\X) is Shannon entropy 
of the phase error conditional on the bit error pattern. 
In other words, n s aH(X) is the number of the hashing 
along Z-basis needed for the agreement of the bit values 
in the actual protocol and n s \iH{Z\X) is the one along 
X-basis needed for the generation of the X-basis eigen 
state in the virtual protocol [l(|. Hence, the key for the 
improvement in the key generation rate is how to mini- 
mize the conditional entropy H(Z\X). 



For the estimation, we assume without loss of gener- 
ality that states received by Bob are classical mixtures 
of photon number eigen states, and let Pn be the prob- 
ability of receiving a state having N photons [l5[ . Since 
we have no direct access to Pjv, we have to assume the 
worst case scenario where Eve maximizes the induced 
phase error rate by classically mixing up each photon 
number state and sending them to Bob. As we will see 
later, it can be proven that states with photon number 
being greater than 3 induces too much bit errors and 
we can neglect those states for the analysis. Hence, we 
can concentrate only on N — 1,2,3 cases, and especially 
we want to derive the corresponding mutual information 
between the bit and phase errors. 

To compute the mutual information, wc introduce 
Bob's qubit by employing the BB84 squash operator, and 
we have to estimate what statistics we would have ob- 
tained if we had performed the measurement along Y 
basis onto the resulting qubit (here, "tilde" means that 
this is about a qubit space and fictitous). In general, 
the actual Bob's measurement along Y basis does not 
coincide with the measurement along Y basis, however 
they do only when N = 1, 2 thanks to the existence of 
the squash operator for the six-state protocol 0|. This 
gives the same mutual information for N = 1,2 as the 
one of the qubit-based six-state protocol. We note that 
to employ BB84 squash, we have to randomly pick up 
two bases (for the explanation, we assume that we have 
chosen X and Z bases) out of the three bases in the ac- 
tual protocol. This random choice does not change the 
actual protocol at all. The reason is that we can always 
split the basis choice into two steps: the first one is the 
choice of two bases out of the three and then one basis 
is chosen from the two. Moreover, we assume in the ac- 
tual protocol that Alice and Bob perform joint random 
bit-flip operation to make the analysis simpler. 

To analyze N = 3 case, we use the symmetry of the 
density operator. As a result, we can estimate the mutual 
information. Finally, by mixing up the photon number 
state N = 1,2,3 based on the worst case scenario, we 
show that the bit error rate threshold for the six-state 
protocol with threshold detectors is 12.611%. This is the 
end of outlining the proof, and we explain why N > 3 
can be neglected and the derivation of the bit error rate 
threshold in what follows, in which we take the asymp- 
totic limit such that the number of the pulses is infinite 
and we neglect statistical fluctuations. 

Our goal is to minimize H(Z\X), and observe that 
this quantity can be rewritten as the convex combi- 
nation of the conditional Shannon entropy H(Z\X) — 
Y,n=i P nH(Z\X)( n \ where H(Z\X)W is the condi- 
tional Shannon entropy that is derived from X-photon 
detection event by Bob. Imagine that we make a two- 
dimensional (2D) plot of H(Z\X)( N > as a function of 
the bit error rate et,- The convex combination suggests 
that we have to consider a convex hull, each of whose ex- 
treme points corresponds to (eb, H{Z\X)^ N n in the 2D 
plane. Thanks to the existence of the squash operator 
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FIG. 1: Plotof#(Z|V) (1 ' 2) (dashed line), h(e b ) (dotted line) , 
1 — h(eb) (dot-dashed line), and a tangent (solid line) whose 
tangent point (B=(0.12619.., 0.54690..)) is the intersection 
of 1 — h{eb) and H(Z\X) (1 ' 2 \ We can neglect any point in 
the gray-filled regime for the security. 

for the six-state protocol Q, the plot of H(Z\X) (1 ^ = 
H{Z\X)W for N = 1,2 is the same as the one of the 
qubit-based six-state protocol Q, which is expressed as 

H{Z\X)M = e b + (1 - eh )h ( 2(1 ^ eb) ) • « 

Here, h(x) = —x\og 2 x — (1 — ir)log 2 (l — x), and 
H(Z\X)( 1,2 ^ is depicted in Fig. [Tj as the dashed line, in 
which h(e b ) (dotted line), 1 — h{e^) (dot-dashed line), 
and a tangent (solid line) are also plotted. The bit error 
rate of the intersection (A) of the dotted line and the 
dot-dashed line represents the bit error rate threshold of 
BB84, and the one (B) of the dot-dashed line and the 
dashed line represents the bit error rate threshold of the 
six-state protocol up to N = 2. C is the intersection of 
the dotted line and the tangent whose tangent point is B. 
Note that H(Z\X)( N *> for any N > 3 can never be larger 
than /i(eb) (dotted line) as we use the squash operator 
for BB84. Also note that the dotted and dashed lines are 
concave, and an achievable point can be generated by the 
convex combination of a point along the dashed line and 
a point below the dotted line such that the average bit 
error rate coincides with the observed error rate. Sup- 
pose that we take convex combination of a point along 
the dashed line whose bit error rate is lower than the bit 
error rate of B (12.619..%) and a point in the gray-filled 
region. Since this convex combination only decreases the 
mutual information, it follows that we neglect any pho- 
ton number state whose minimum bit error rate is larger 
than the bit error rate of C (25.677...%). According to 
analysis in 16], it turns out that the minimum bit error 
rate is strictly larger than 25.677...% for N > 4 (note 
that the minimum bit error rate is not zero for N > 2 
since only the singlet state (N = 1) has the symmetry 
that has the zero bit error rate). Thus, we are left with 
working only on N — 3 case. 

For the derivation of H(Z\X)^\ we first consider 

(3) 

symmetrization of the state /Csym that Alice and Bob 
share. Recall that our protocol is invariant under the 
interchange of the basis and bit-flip in each basis. This 
symmetrization process is represented by a group G 
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FIG. 2: Fig. [T] without its tangent and with (e b , H(Z\X) (3) ) 
taking values in the shadow regime. H(Z\X) for e& < 0.115... 
is H(Z\X)( 1 ' 2 ' 1 (dashed line) and the solid line represents 
H(Z\X) for 0.115... < e b < 1/4. The solid line is a tan- 
gent of the dashed line at D = (0.115..., 0.42407...), which 
means the slight degradation of the bit error rate threshold. 



that is generated by {R a } where R a is 7r/2 rotation 
along a-basis (a — X, Y, Z) of a qubit state. Also 
note that any rotation of the state on M 1 , which is an 
orthogonal complement to H being spanned by {|ab)® 4 }, 
does not change the measurement outcomes since the 
state on "Hr always induces double-click (one can also 
check this with POVM to be mentioned). Thus, we 
are allowed to work on the symmetrized density matrix 
p£> m = fdUJ2 geG [g ■ l w x ®U n ]p 3 [g • l w x © U n f/\G\. 
A bit tedious calculation with Shur's lemma gives us 
Psym = r P + rj.Pi + r 2 P 2 + r 3 l n ± [16], where r m > 
(to = 0,1,2,3), and Po,i,2 is a projector onto the 
subspace spanned by {j-1/2, -3/2) - |l/2,3/2), 
V3 1-1/2, -1/2) + 11/2,-3/2), V3|l/2,l/2) + 
1-1/2, 3/2)}, {|-l/2, 1/2) - |l/2,-l/2), |-l/2, -1/2) - 
v'S |l/2,-3/2>, |l/2,l/2) y/3 |-l/2, 3/2)} and 
{|-l/2,l/2) + 11/2,-1/2), |-l/2,-3/2) + |l/2,3/2)}. 
Here, the first (second) index in each ket represents Z 
component of Alice's (Bob's) i-spin (3 ^-spins with 
total angular momentum being 3/2) with eigen values 
being 1/2 and -1/2 (3/2, 1/2, -1/2, and -3/2). 

To calculate the mutual information, we consider 
what error rate (e^) we would have obtained if we 
had performed the measurement along Y basis onto 
Alice and Bob's qubit, in which Bob's qubit is de- 
fined through the BB84 squash operator. Bob's POVM 
{M® 4 } corresponding to detection of the bit value 
b = —1,1 along a basis is represented by M ab = 

±(l>(\a b )f N -P(\a. b )f N + where P (\a b )) = 

\a b ) (oib\ and 1/2 represents the random assignment of 
the double-click event, and POVM for detecting a-basis 
error r a is [ll| T a = P {\a x )) ® M ai + P (|a_i)) ® M a _ 1 . 
POVM for detecting Y basis error on qubit pair is 
given by f„ = P(|Yi)) ® 7^384 {P {\Yi))) + P (\Y^)) ® 
■^BB84 {P (l^-i)))) where J 7 bb84(0 is a uiap from the 
qubit space to 3-photon space, which is represented by 
Kraus operator for the BB84 squash [1,0]. Using all of 
them, the bit error rate e b and ey are respectively repre- 
sented by e b = TrT a pi 3 y \ n = \r - |n + \r 2 + \ and e s = 
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Trf yPsym = 5^0 — \t\ + 57 and what we have to do is to 
derive eg as a function of e b and to maximize H(Z\X)( 3 \ 

In the equation of e b and eg, we erase the parameter 

(3) 

by using the condition Trp sym — 1, which follows that 

(3) 

the positivity condition of pl ym reads ro, r% , r-x > and 
3r'o + 3fx + 2r2 < 1. By introducing a parameter set 
{£, s, u} with < t, u < 1 and — 1 < s < 1, we can express 
r = itt(l + s)/6, n = ui(l — s)/6, and r2 = u(l — i)/2, 
and we use this parameterization to derive the regime 

{eb, eg} that p svm can take. The regime is represented by 
the triangle with vertices being {1/4,1/3}, {7/12,2/3}, 
and {3/4,1/2} in {e^ eg}-plane, which means that ey is 
always bounded by linear functions of e b . This triangle 
can be translated into the shadow regime in Fig. [2] via 
H{Z\X)^ = e b h[{2e b -ey)/(2e b )} + {l-e b )h[ey/{2-2e b )} 
that coincides with H(Z\X)^ 1 ^ when e b = eg, and we 
note that the tangent in Fig. [T] crosses the shadow regime 
in Fig. [2] so that the bit error rate threshold should de- 
grade. By considering the convex hull of H(Z\X)W for 
N = 1,2,3, the upper bound of H(Z\X), which we ex- 
press as H(Z\X), is given by 



H(Z\X) 

( H{Z\X) { - 1 ' 2 ) in case 0.115... > e b 

\ (2.82...) e b + 0.0976... in case \ > e b > 0.115... 

This is also shown in Fig. [2] From this expression, we 
can der ive the b it error rate threshold of 12.6112...% by 
solving H(Z\X) = 1 — h (e b ) with respect to e&. 

Remarks: For the first sight, our analysis assumes that 
Alice and Bob's pair states are identically and indepen- 
dently distributed. A way to treat unconditional security 



is to use the argument based on quantum de Finetti the- 
orem [lTj or Azuma's inequality [HI, HU . In the latter ar- 
gument, we consider an arbitrary whole Alice and Bob's 
state, not just a pair state, and we consider to perform 
the Bell basis measurement from the first qubit pair in or- 
der. p S ym is now interpreted as the state of a particular 
qubit pair conditional on arbitrary Bell basis measure- 
ment outcomes. It follows that eg and e b are probability 
also being conditional on the outcomes, which is a prop- 
erty required in applying Azuma's inequality, and most 
importantly the relation between them are linear as we 
have already mentioned (for 4 < N case, it is given by 
< eg < 1 and 0.25677... < e b ). Thus, we can convert 
our analysis into the analysis of the unconditional secu- 
rity proof by using exactly the same argument as [l9l | . 

To summarize, we prove the unconditional security of 
the six-state protocol with threshold detectors. For the 
proof, we propose a technique to determine which photon 
number states are important, and we employ the squash 
operator for BB84 and the estimation of the mutual in- 
formation that can be obtained via Y basis fictitious mea- 
surement on the resulting qubit state. In this letter we 
consider one-way quantum communication protocol, and 
our analysis may apply to two-way quantum communi- 
cation protocol such as BBM92 type QKD [20] , which we 
leave for the future study. Security proof of other pro- 
tocols with threshold detectors are also another future 
works. 
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